Pixel flood attack

An image with the dimensions of 0xfafa x 0xfafa (64250x64250) is uploaded and crashes the service.

How To Perform

Download the Payload

Upload to target service

Observe for performance degradation

Technical

HackerOne founder Michiel provided some technical insight into this issue:

We identified two problems:
1) Paperclip seems to always run the identify command with the exif:orientation option enabled, while only one Paperclip feature (auto orient) needs this option. This option caused the DoS at our side. We fixed this by monkey patching the way Paperclip builds a geometry string. This is probably something that should get fixed in Paperclip too.
2) Paperclip started resizing the uploaded image even before it validated whether the image's dimensions were too large. We fixed this by instructing Paperclip to run validations before starting the resizing process.
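
The second fix, validating dimensions before any processing starts, can be enforced from the file header alone, without calling identify or a decoder. The Ruby below is an added example, not code from Paperclip or HackerOne; the names MAX_PIXELS, declared_dimensions and safe_to_process?, the 40-megapixel budget and the sample headers are assumptions made for illustration.

```ruby
# Added example (not Paperclip code): header-only dimension check.
MAX_PIXELS = 40_000_000 # assumed budget; size it to what a worker can decode
PNG_SIG = "\x89PNG\r\n\x1a\n".b
# JPEG start-of-frame markers: 0xC0..0xCF except DHT (C4), JPG (C8), DAC (CC)
SOF_MARKERS = ((0xC0..0xCF).to_a - [0xC4, 0xC8, 0xCC]).freeze

# Returns [width, height] as declared in the header, or nil if unreadable.
def declared_dimensions(data)
  data = data.b
  if data.start_with?(PNG_SIG)
    return nil unless data.bytesize >= 24 && data.byteslice(12, 4) == "IHDR"
    return data.byteslice(16, 8).unpack("NN")
  end
  return nil unless data.start_with?("\xFF\xD8".b)
  pos = 2
  while pos + 4 <= data.bytesize
    marker = data.getbyte(pos + 1)
    # Stop on a malformed segment or once scan data (SOS) / end (EOI) begins.
    return nil if data.getbyte(pos) != 0xFF || [0xDA, 0xD9].include?(marker)
    len = data.byteslice(pos + 2, 2).unpack1("n")
    return nil if len < 2
    if SOF_MARKERS.include?(marker)
      return nil if pos + 9 > data.bytesize
      height, width = data.byteslice(pos + 5, 4).unpack("nn")
      return [width, height]
    end
    pos += 2 + len
  end
  nil
end

# Fail closed: unknown formats and over-budget declarations are both rejected.
def safe_to_process?(data, max_pixels: MAX_PIXELS)
  width, height = declared_dimensions(data)
  return false if width.nil?
  width.positive? && height.positive? && width * height <= max_pixels
end

# Constructed headers (no pixel data) used as sample input.
def png_header(w, h)
  PNG_SIG + [13].pack("N") + "IHDR".b + [w, h].pack("NN")
end

def jpeg_header(w, h)
  "\xFF\xD8\xFF\xE0".b + [16].pack("n") + ("\0" * 14) +
    "\xFF\xC0".b + [17, 8, h, w].pack("nCnn")
end

puts safe_to_process?(jpeg_header(0xfafa, 0xfafa)) # dimensions from the write-up
puts safe_to_process?(png_header(1920, 1080))
```

Run the check on the first bytes of the upload, before the file reaches any thumbnailing or metadata step, and treat a nil result as a rejection rather than falling back to a full decode.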